当然,referer 也是可以伪造的,HTTP 请求本身就没有不能伪造的东西。

所以本方法只能在一定程度上防止非法请求,仅供参考。


项目的web.xml中增加过滤器:

<filter>
<filter-name>RefererFilter</filter-name>
<filter-class>com.sdyy.common.filters.RefererFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>RefererFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>



项目中增加RefererFilter类:

package com.sdyy.common.filters;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

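/**
 * Servlet filter that forwards a request to the error page unless its
 * {@code Referer} header names the same host the request was sent to.
 *
 * <p>This is a best-effort check only: the Referer header is supplied by the
 * client and can be omitted or forged, so it must not be the sole protection
 * for state-changing requests. The original implementation used
 * {@code referer.contains(serverName)}, which accepts any Referer URL that
 * merely contains the server name somewhere (in the path, query, or as part of
 * a longer host name); this version parses the Referer as a URI and compares
 * its host component exactly.
 *
 * <p>Note: {@code HttpServletRequest#getServerName()} is typically derived from
 * the request's {@code Host} header, which is also client-controlled; confirm
 * how the deployment container resolves it before relying on this check.
 *
 * <p>Extending {@link HttpServlet} is not required for a {@link Filter}; it is
 * kept here only so the class's declared type stays unchanged.
 */
public class RefererFilter extends HttpServlet implements Filter {

    private static final long serialVersionUID = 1L;

    // Held only for symmetry with init()/destroy(); nothing is read from it.
    private FilterConfig filterConfig;

    @Override
    public void init(FilterConfig config) {
        this.filterConfig = config;
    }

    /**
     * Passes the request down the chain when the Referer host matches the
     * request's server name; otherwise forwards to {@code /WEB-INF/error.jsp}.
     *
     * @param req   the incoming request (expected to be an {@link HttpServletRequest})
     * @param res   the outgoing response (expected to be an {@link HttpServletResponse})
     * @param chain the remaining filter chain
     * @throws ServletException propagated from the chain or the dispatcher
     * @throws IOException      propagated from the chain or the dispatcher
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Header lookup is case-insensitive per the Servlet API, so "referer" is fine.
        String referer = request.getHeader("referer");

        if (isSameHost(referer, request.getServerName())) {
            chain.doFilter(request, response);
        } else {
            // Referer missing, unparsable, or from another host: show the error page.
            request.getRequestDispatcher("/WEB-INF/error.jsp").forward(request, response);
        }
    }

    /**
     * Returns {@code true} only when {@code referer} parses as a URI whose host
     * component equals {@code serverName} (case-insensitively).
     *
     * <p>A missing header, a missing or {@code null} server name, an unparsable
     * URI, or a URI without a host component all yield {@code false}.
     *
     * @param referer    raw value of the Referer header, may be {@code null}
     * @param serverName the host the request was addressed to, may be {@code null}
     * @return whether the Referer host exactly matches the server name
     */
    static boolean isSameHost(String referer, String serverName) {
        if (referer == null || serverName == null) {
            return false;
        }
        String host;
        try {
            host = new URI(referer).getHost();
        } catch (URISyntaxException e) {
            // Malformed Referer: treat as not matching rather than guessing.
            return false;
        }
        // getHost() is null for URIs with no authority (e.g. a bare path).
        return host != null && host.equalsIgnoreCase(serverName);
    }

    @Override
    public void destroy() {
        this.filterConfig = null;
    }

}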